I'd set up Apache to terminate the SSL connection, so that the Tomcat only sees HTTP. If the web app needs to know whether a request came in over HTTPS or not, then there's an HTTP header Apache can set to indicate that.